使用 Microsoft.Graph 获取当前应用程序权限 [英] Using Microsoft.Graph to get current application permissions

问题描述

我的 C# 程序使用 Microsoft.Graph Nuget.并且它需要能够确保它拥有正确的 Microsoft Graph 应用程序权限.

My C# program uses the Microsoft.Graph Nuget. And it needs be able to ensure that it has the correct Microsoft Graph application permissions.

我知道如何在 AD 中添加权限，但我希望我的程序能够测试它是否具有所需的权限.

I know how to add permissions in AD, but I want my program to be able test it has the permissions it needs.

我想要实现的示例:

var graphClient = new GraphServiceClient(authenticationProvider);

if(!graphClient.GetPermissions().Contains("AdministrativeUnit.Read.All"))
{
    throw new Exception("Missing Permission AdministrativeUnit.Read.All")
}

提前致谢！

推荐答案

任重而道远.

这里我提供Microsoft Graph beta版的大致思路(通过HTTP方式):

Here I provide a general idea of Microsoft Graph beta version(through HTTP method):

1. 根据App ID获取servicePrincipal的Object ID:GEThttps://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq'{App ID}'.
2. 获取appRole信息(应用权限信息)基于步骤 1 中的对象 ID:GEThttps://graph.microsoft.com/beta/servicePrincipals/{Object ID}/appRoleAssignedTo.
3. 获取 appRoleID 和 Microsoft Graph 应用程序权限名称的匹配列表:GEThttps://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq'00000003-0000-0000-c000-000000000000'.请注意00000003-0000-0000-c000-000000000000"是一个固定值，即表示 Microsoft 内部 Graph App 的 App ID.
4. 比较第 2 步和第 3 步的结果，您就会知道哪个应用程序权限位于您的 Azure AD 应用程序中.

1. Get the Object ID of the servicePrincipal based on the App ID: GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '{App ID}'.
2. Get the appRole information (the application permission information) based on the Object ID from step 1: GET https://graph.microsoft.com/beta/servicePrincipals/{Object ID}/appRoleAssignedTo.
3. Get a match list of appRoleID and Microsoft Graph application permission name: GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'. Please note that "00000003-0000-0000-c000-000000000000" is a fixed value， which represents the App ID of the Microsoft internal Graph App.
4. Compare the results of the 2nd and 3rd steps and you will know which application permissions are in your Azure AD app.

顺便说一句，Get appRoleAssignment 目前只有 beta 版本，不建议使用 beta 版本 api.

By the way, Get appRoleAssignment is only available in beta version currently, but beta version api is not recommended to use.

Microsoft Graph 中/beta 版本下的 API 可能会发生变化.不支持在生产应用程序中使用这些 API.

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

这篇关于使用 Microsoft.Graph 获取当前应用程序权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！